User Guide

security (System.security)
In any cross-domain situation, two parties are involved, and it's important to be clear about
which side is which. For the purposes of this discussion, the side performing the
cross-scripting is called the accessing party (usually the accessing SWF), and the other side is
called the party being accessed (usually the SWF being accessed). To continue the example, when
movieA.swf scripts movieB.swf, movieA.swf is the accessing party, and movieB.swf is the party
being accessed.

Cross-domain permissions that are established with System.security.allowDomain() are
asymmetrical. In the previous example, movieA.swf can script movieB.swf, but movieB.swf
cannot script movieA.swf, because movieA.swf has not called
System.security.allowDomain() to give othersite.com permission to script movieA.swf.
You can set up symmetrical permissions by having both SWF files call
System.security.allowDomain().

In addition to protecting SWF files from cross-domain scripting originated by other SWF
files, Flash Player protects SWF files from cross-domain scripting originated by HTML files.
HTML-to-SWF scripting can be performed with older Flash browser functions such as
SetVariable or callbacks established by using ExternalInterface.addCallback(). When
HTML-to-SWF scripting crosses domain boundaries, the SWF file being accessed must call
System.security.allowDomain(), just as when the accessing party is a SWF file, or the
operation will fail.

Specifying an IP address as a parameter to System.security.allowDomain() does not
permit access by all parties that originate at the specified IP address. Instead, it permits access
only by parties that were loaded by explicitly specifying that IP address in their URLs, rather
than by a domain name that maps to that IP address.
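
The asymmetry and IP-address rules above can be checked with a small decision model. This is an added Python example, not Flash Player or Adobe code; it compares only the host string written in each party's URL. Assumptions: the `Party` class, `can_script()`, the hosts `site-a.example` and `ip-host.example`, and the address 192.0.2.10 are constructed for illustration, and wildcards and protocol differences are not modelled.

```python
from urllib.parse import urlsplit


class Party:
    """A SWF or HTML file, identified by the URL it was loaded from."""

    def __init__(self, url):
        self.url = url
        # Host exactly as written in the URL; no DNS resolution is ever done.
        self.host = urlsplit(url).hostname
        self.allowed = set()  # hosts this party has granted access to

    def allow_domain(self, *hosts):
        """Stand-in for System.security.allowDomain() called by this party."""
        self.allowed.update(h.lower() for h in hosts)


def can_script(accessing, accessed):
    """True if `accessing` may script `accessed` under the rules above."""
    if accessing.host == accessed.host:
        return True  # same host: no cross-domain grant needed (simplified)
    # Only grants made by the party being accessed are consulted.
    return accessing.host in accessed.allowed


def demo():
    # Constructed sample: hosts and the 192.0.2.10 address are made up.
    movie_a = Party("http://site-a.example/movieA.swf")
    movie_b = Party("http://othersite.com/movieB.swf")
    movie_b.allow_domain("site-a.example")
    results = {
        "a_scripts_b": can_script(movie_a, movie_b),
        "b_scripts_a": can_script(movie_b, movie_a),
    }
    movie_a.allow_domain("othersite.com")  # second grant makes it symmetrical
    results["b_scripts_a_after_grant"] = can_script(movie_b, movie_a)

    # Same server reached two ways; the grant names the IP address only.
    movie_b.allow_domain("192.0.2.10")
    by_ip = Party("http://192.0.2.10/page.html")
    # Assumed to resolve to 192.0.2.10, but loaded by name.
    by_name = Party("http://ip-host.example/page.html")
    results["html_by_ip"] = can_script(by_ip, movie_b)
    results["html_by_name"] = can_script(by_name, movie_b)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, allowed)
```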